Primer
What is PCI DSS?
PCI DSS is the Payment Card Industry Data Security Standard. If your business stores, processes or transmits cardholder data (in practice: if you take card payments, any card, any way), you're subject to it. Visa, Mastercard, Amex, Discover and JCB all enforce it through your acquiring bank.
The current version is PCI DSS 4.0.1. It has 12 top-level requirements, each with a stack of sub-requirements covering everything from network security controls to staff training. Every merchant who takes cards has to demonstrate compliance to their acquirer, normally annually. How you demonstrate it (an SAQ, or a Report on Compliance from a Qualified Security Assessor) depends on your transaction volume and the card brands' merchant levels, and your acquirer tells you which applies.
What's an SAQ?
SAQ stands for Self-Assessment Questionnaire. It's a cut-down form of the full PCI DSS assessment, designed for merchants (and some service providers) who handle card data in specific, well-defined ways. If your environment fits one of the SAQ patterns, you answer that SAQ, which contains only the requirements applicable to that pattern, instead of being assessed against the whole standard. It is self-assessed: you answer it yourself, sign an Attestation of Compliance (AOC) and send both to your acquirer.
This app covers nine SAQ types. Picking the right one matters: each one has different rules about what counts as in-scope, and using the wrong SAQ either makes you do work you didn't need to, or skip work you did. Each SAQ lists its eligibility criteria up front, and you must meet all of them; if you miss even one, you fall back to SAQ D.
The nine SAQs at a glance
SAQ A (30 reqs): Card-not-present merchants who have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers.
SAQ A-EP (145 reqs): E-commerce merchants who partially outsource payment processing to a PCI DSS validated third party and whose website can affect the security of the payment transaction.
SAQ B (28 reqs): Merchants using only standalone dial-out terminals or imprint machines. Not for internet-connected payment systems.
SAQ B-IP (51 reqs): Merchants using standalone IP-connected PTS POI terminals, with no electronic storage of cardholder data.
SAQ C (128 reqs): Merchants with payment application systems connected to the internet, where no electronic cardholder data is stored.
SAQ C-VT (55 reqs): Merchants using only an isolated, browser-based virtual terminal from a PCI DSS validated third-party service provider.
SAQ D (Merchant) (252 reqs): All merchants not included in other SAQ types, or whose payment environment otherwise does not meet the eligibility criteria of another SAQ.
SAQ D (Service Provider) (255 reqs): All service providers defined by a payment brand as eligible to complete an SAQ.
SAQ P2PE (22 reqs): Merchants using only PCI P2PE solution-listed point-of-interaction devices, with no access to cleartext cardholder data.
How this app fits in
Paytia Comply gives you a digital checklist for your SAQ. You pick which one you need (or we help you pick if you're not sure), then you work through the requirements one by one, marking each Yes, No, or N/A. You can capture photo evidence on your phone for each requirement and export the whole lot as a PDF for your records or to hand to a QSA (Qualified Security Assessor).
This app isn't the official SAQ. When you're ready to submit, download the form from the PCI SSC Document Library and follow your acquirer's instructions. The official form uses its own answer columns (In Place, In Place with CCW, Not Applicable, Not Tested, Not in Place) and expects you to justify every Not Applicable answer, and it is submitted together with the Attestation of Compliance. We give you the working copy, not the signed submission.
Made by Paytia · Not legal or compliance advice · Confirm with your acquirer